authorAndrew Butcher <abutcher@redhat.com>2018-01-24 16:20:48 -0500
committerAndrew Butcher <abutcher@redhat.com>2018-01-24 16:47:49 -0500
commit5e3dc7116fd6f0d1600906be00654ea8e0fd43a2 (patch)
tree6f795556517f6ca77c24836276131742c7349068 /playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
parentf34f986bf3ab0523ce6ec1145b4a57a51b9ab3fa (diff)
Redeploy etcd certificates during upgrade when etcd hostname not present in etcd serving cert SAN.
Diffstat (limited to 'playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml')
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml22
1 files changed, 22 insertions, 0 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
index 693ab2d96..5ee8a9d78 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
@@ -92,3 +92,25 @@
state: started
enabled: yes
with_items: "{{ master_services }}"
+
+# Until openshift-ansible is determining which host is the CA host we
+# must (unfortunately) ensure that the first host in the etcd group is
+# the etcd CA host.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1469358
+- name: Verify we can proceed on first etcd
+ hosts: oo_first_etcd
+ gather_facts: no
+ tasks:
+ - name: Ensure CA exists on first etcd
+ stat:
+ path: /etc/etcd/generated_certs
+ register: __etcd_ca_stat
+
+ - fail:
+ msg: >
+ In order to correct an etcd certificate signing problem
+ upgrading may require re-generating etcd certificates. Please
+ ensure that the /etc/etcd/generated_certs directory exists on
+ the first host defined in your [etcd] group.
+ when:
+ - not __etcd_ca_stat.stat.exists | bool
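Review bot: The `when` on the final `fail` task tests only `stat.exists`, so a regular file or an empty directory at `/etc/etcd/generated_certs` satisfies a check whose task name says "Ensure CA exists on first etcd". Tightening the condition to `- not (__etcd_ca_stat.stat.isdir | default(false))` would at least reject a non-directory; `isdir` is absent when the path does not exist, hence the `default`. The directory's presence still does not show that the CA certificate and key used for signing are on this host. If the later certificate redeploy depends on specific files, it would be safer to `stat` those here so the upgrade stops before any certificates are touched. The `fail` task also has no `name`, which makes the failure harder to find in run output.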